By brian.j.galloway on
Hello
I had a general question regarding the use of SHA1 and MD5 in the Drupal core code. Recently, I ran a static code scan of the Drupal 8.2.7 package and many "High" findings were identified in the scan. I understand that Drupal passwords are hashed using SHA512, but I want to understand why the obsolete functions of SHA1 and MD5 are littered throughout the Drupal core code?
Thanks in advance
Comments
Because someone thought they were a good idea to use in the places that they were used.
I know it's a vague answer, but with no specific examples, it's the only answer.
Use of MD5 and SHA1 hashing in Drupal Core
That's fair Jaypan. We have many findings that found the use of SHA1 or MD5 so I kept it vague for that reason. Here is an example in case it is helpful.
vendor/phpunit/phpunit-mock-objects/src/Framework/MockObject/Generator.php, line 845 (Weak Cryptographic Hash)
842 if ($className == '') {
843 do {
844 $className = $prefix . $type . '_' .
845 substr(md5(microtime()), 0, 8);
846 } while (class_exists($className, false));
847 }
That's just a random value generator, there isn't any necessity for security with that. It's just hashing the current time with md5(), then grabbing the first eight characters of the hash.
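As an added illustration of the distinction Jaypan draws (example code, not from the thread, Drupal or phpunit): the flagged pattern in a uniqueness-only context, the same behaviour with no hash call at all, and two cases where hashing the clock with md5()/sha1() would be a genuine finding. Function names and inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Uniqueness-only use, the pattern the scanner flagged: the name just has to
// avoid an already-declared class, and the loop resolves collisions. md5()
// is not a weakness here, but a syntax-based rule cannot tell that.
function uniqueClassNameMd5(string $prefix, string $type): string
{
    do {
        $className = $prefix . $type . '_' . substr(md5(microtime()), 0, 8);
    } while (class_exists($className, false));
    return $className;
}

// Same behaviour with no hash call at all. Taking the suffix from the CSPRNG
// keeps the uniqueness property and leaves nothing for a "weak hash" rule to
// match, which is cleaner than suppressing the rule for that line.
function uniqueClassName(string $prefix, string $type): string
{
    do {
        $className = $prefix . $type . '_' . bin2hex(random_bytes(4));
    } while (class_exists($className, false));
    return $className;
}

// Security-sensitive use: a value that must be unguessable. Deriving it from
// the clock through md5()/sha1() would be a real finding; use random_bytes().
function sessionToken(): string
{
    return bin2hex(random_bytes(32));
}

// Security-sensitive use: protecting a stored secret. A single fast digest
// pass is the wrong tool regardless of algorithm; use the salted, slow
// password API and check with password_verify().
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Demo with constructed inputs.
assert(preg_match('/^Mock_Foo_[0-9a-f]{8}$/', uniqueClassNameMd5('Mock_', 'Foo')) === 1);
$name = uniqueClassName('Mock_', 'Foo');
assert(preg_match('/^Mock_Foo_[0-9a-f]{8}$/', $name) === 1);
assert(strlen(sessionToken()) === 64);
$stored = hashPassword('constructed-example-password');
assert(password_verify('constructed-example-password', $stored));
echo $name, PHP_EOL;
```

When triaging such findings, the question to record against each hit is which of these three roles the hash plays, not merely which algorithm name appears.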
In addition: that is not Drupal core!
It is phpunit in the vendor folder. Anything in there is as is; it doesn't mean it is used in Drupal core!
Oh, I didn't even notice that!